A bear can give the nft but then get the premium+collateral which they shouldn't get if they are the buyer of order
Summary
A bear that pays the premium and fees can then transfer the nft and get the collateral + premium which is too many funds and then funds can be stolen
Vulnerability Detail
Since there is no indication that this is a put or call option the bear can pay the preimum+fees but they can call settleContract() with the nft and get the collateral which is more than the nft causing loss of funds because
what should happen is that in this case of setttleContract the bear is the writer to give the nft but that isn't checked in settleContract.
steps:
Alice(bear)
bob(bull)
Alice takes the order and becomes the bear and pays (premium+fees)
Bob pays the collateral + fees) But Alice could give the nft but getcollateral+preimumwhich doesn't make sense because Alice inmatchOrder pays thepreimum+fees` so in that case, Alice shouldn't be getting back the premium which is the incentive for the seller that the bull should get and is not getting.
Impact
This can lead to a loss of funds and the bull not getting the funds they desire and the buyer can always transfer the nfts and get Their premium back.
Code Snippet
uint256 bearAssetAmount = order.premium + order.collateral;
if (bearAssetAmount > 0) {
// Transfer payment tokens to the Bear
IERC20(order.asset).safeTransfer(bear, bearAssetAmount);
}
simon135
high
A bear can give the nft but then get the
premium+collateral
which they shouldn't get if they are the buyer of orderSummary
A bear that pays the premium and fees can then transfer the nft and get the collateral + premium which is too many funds and then funds can be stolen
Vulnerability Detail
Since there is no indication that this is a put or call option the bear can pay the
preimum+fees
but they can callsettleContract()
with the nft and get the collateral which is more than the nft causing loss of funds because what should happen is that in this case ofsetttleContract
the bear is the writer to give the nft but that isn't checked insettleContract
. steps: Alice(bear) bob(bull) Alice takes the order and becomes the bear and pays (premium+fees) Bob pays thecollateral + fees) But Alice could give the nft but get
collateral+preimumwhich doesn't make sense because Alice in
matchOrderpays the
preimum+fees` so in that case, Alice shouldn't be getting back the premium which is the incentive for the seller that the bull should get and is not getting.Impact
This can lead to a loss of funds and the bull not getting the funds they desire and the buyer can always transfer the nfts and get Their premium back.
Code Snippet
https://github.com/sherlock-audit/2022-11-bullvbear/blob/main/bvb-protocol/src/BvbProtocol.sol#L449-L453
Tool used
Manual Review
Recommendation
I recommend checking that his logic is correct and making indication what action is happening and whose the writer and buyer
Duplicate of #132